Insurers mull proposed cyber rules

The National Association of Insurance Commissioners' cyber security regulatory guidance for the insurance industry is receiving generally positive reviews.

The guidance spells out a dozen principles for regulators to follow when dealing with insurer-related cyber security issues. The principles, unveiled April 17, “will serve as the foundation for protection of sensitive consumer information held by insurers as well as insurance producers and guide regulators who oversee the insurance industry,” NAIC President Monica J. Lindeen said in a statement

Ms. Lindeen also serves as Montana commissioner of securities and insurance.

“It was certainly an appropriate step for the NAIC to take, with all the increased intense interest in cyber security” said Paul Tetrault, state and policy affairs counsel for the Indianapolis-based National Association of Mutual Insurance Cos. The breaches at health insurance companies “certainly put an intensified focus on cyber security as it relates to insurers.”

He said the data breach at health insurer Anthem Inc. made it clear it was urgent for the NAIC to take action.

In separate activity last week, the U.S. House passed legislation that would extend liability protection to companies that share cyber attack information with the Department of Homeland Security, companion legislation to a House-approved measure that would shield private companies that share cyber security threat information without fear of litigation. The Senate reportedly was expected to approve the legislation and the White House also supported passage, saying it believed any concerns could be resolved.

As for the NAIC's plan, it said cyber security regulatory guidance should be “scalable, practical and consistent with nationally recognized efforts such as those embodied in the National Institute of Standards and Technology,” according to principles the insurance regulatory group's cyber security task force adopted.

The emphasis on flexibility and scalability is particularly important, observers say.

“Everyone is behind the idea that it makes sense to have regulatory guidance, but the guidance needs to have some flexibility,” said Laura Foggan, a partner at Wiley Rein L.L.P. in Washington. Such guidance also needs to be practical, and there's “some sense the NAIC recognized that.”

The guidance “says flexibility and scalability are crucial, and I think that's what the industry needs to hear,” said, Lawrence H. Mirel, a partner in the Washington office of Nelson Brown Hamilton & Krekstein L.L.C., which does business as Nelson Brown & Co.

“You can't make (small companies) do things that big companies easily can do and that would sink a small company,” said the former District of Columbia insurance commissioner.

“It's significant that the NAIC has given a lot of attention to cyber security issues,” Ms. Foggan said. “The principles are important and to some extent they appear to have gone beyond principles in the specificity and prescription. There's kind of a directive tone of some of the principles.”

The document is “tremendously important” because the NAIC represents the primary regulators of the industry, said Tom Glassic, vice president of policy and government relations at the Property Casualty Insurers Association of America in Washington.

He noted that under the Gramm-Leach-Bliley Act, the authority to enforce privacy rules is specifically granted to insurance regulators.

The principles also hold that cyber security risks should be incorporated and addressed as part of underwriters' or producers' enterprise risk management process. “Cyber security transcends the information technology department and must include all facets of an organization,” according to the NAIC.

In addition, the principles say regulatory guidance must be risk-based “and must consider the resources of the insurer or insurance producer.” However, a minimum set of cyber security standards must be in place for “all insurers and insurance producers that are physically connected to the Internet and/or other public data networks,” the NAIC said.

“The NAIC guiding principles help lay a foundation to prevent the disclosure of personally identifiable information and best positions those in the insurance industry should breach occur, if action is taken against them,” said James Woods, co-leader of Mayer Brown's Global Insurance Industry Group in New York. “The best prepared companies will be able to state that they have used reasonable efforts to prevent a cyber attack and have taken reasonable efforts to protect personally identifiable information and have evidence to prove that.”

No one expects the guidance to be insurance commissioners' last word on the subject.

“It's a road map,” said Ms. Foggan. “We've seen a lot of state insurance regulators follow NAIC guidance and model legislation in other contexts. I think this will be a starting place for discussion at the state level.”

“Generally, it's pretty good,” said Mr. Mirel. “Obviously, it's a work in progress,” he said, adding the principles “seem to be quite reasonable to me.”